From 65ceacef3f8e08ba56c8d97a69766af3d92da973 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Tue, 1 Jun 2021 12:32:46 +0200 Subject: [PATCH 1/2] Add system tests for httpjson input --- packages/windows/_dev/build/docs/README.md | 6 + .../_dev/deploy/docker/docker-compose.yml | 50 + .../docker/sample_logs/forwarded.json.log | 1 + .../docker/sample_logs/powershell.json.log | 1 + .../powershell_operational.json.log | 1 + .../sample_logs/sysmon_operational.json.log | 1 + packages/windows/changelog.yml | 8 + .../_dev/test/system/test-default-config.yml | 10 + .../data_stream/forwarded/fields/beats.yml | 3 + .../data_stream/forwarded/sample_event.json | 75 + .../_dev/test/system/test-default-config.yml | 10 + .../data_stream/powershell/fields/beats.yml | 3 + .../data_stream/powershell/sample_event.json | 82 + .../_dev/test/system/test-default-config.yml | 10 + .../powershell_operational/fields/beats.yml | 3 + .../powershell_operational/sample_event.json | 75 + .../pipeline/test-events.json-expected.json | 1421 ++++++++++++----- .../_dev/test/system/test-default-config.yml | 10 + .../elasticsearch/ingest_pipeline/default.yml | 3 +- .../sysmon_operational/fields/base-fields.yml | 5 + .../sysmon_operational/fields/beats.yml | 3 + .../sysmon_operational/sample_event.json | 124 ++ packages/windows/docs/README.md | 304 +++- packages/windows/manifest.yml | 2 +- 24 files changed, 1851 insertions(+), 360 deletions(-) create mode 100644 packages/windows/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log create mode 100644 packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log create mode 100644 packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log create mode 100644 packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log create mode 100644 packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml create mode 100644 packages/windows/data_stream/forwarded/fields/beats.yml create mode 100644 
packages/windows/data_stream/forwarded/sample_event.json create mode 100644 packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml create mode 100644 packages/windows/data_stream/powershell/fields/beats.yml create mode 100644 packages/windows/data_stream/powershell/sample_event.json create mode 100644 packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml create mode 100644 packages/windows/data_stream/powershell_operational/fields/beats.yml create mode 100644 packages/windows/data_stream/powershell_operational/sample_event.json create mode 100644 packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml create mode 100644 packages/windows/data_stream/sysmon_operational/fields/beats.yml create mode 100644 packages/windows/data_stream/sysmon_operational/sample_event.json diff --git a/packages/windows/_dev/build/docs/README.md b/packages/windows/_dev/build/docs/README.md index 8d4859a9d81..98083826d70 100644 --- a/packages/windows/_dev/build/docs/README.md +++ b/packages/windows/_dev/build/docs/README.md @@ -46,6 +46,8 @@ channel specific datasets. The Windows `powershell` dataset provides events from the Windows `Windows PowerShell` event log. +{{event "powershell"}} + {{fields "powershell"}} ### Powershell/Operational @@ -53,6 +55,8 @@ The Windows `powershell` dataset provides events from the Windows The Windows `powershell_operational` dataset provides events from the Windows `Microsoft-Windows-PowerShell/Operational` event log. +{{event "powershell_operational"}} + {{fields "powershell_operational"}} ### Sysmon/Operational @@ -60,4 +64,6 @@ The Windows `powershell_operational` dataset provides events from the Windows The Windows `sysmon_operational` dataset provides events from the Windows `Microsoft-Windows-Sysmon/Operational` event log. +{{event "sysmon_operational"}} + {{fields "sysmon_operational"}} \ No newline at end of file 
diff --git a/packages/windows/_dev/deploy/docker/docker-compose.yml b/packages/windows/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..7a5ad05e4fd
--- /dev/null
+++ b/packages/windows/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,50 @@
+version: '2.3'
+services:
+ forwarded:
+ image: docker.elastic.co/observability/stream:v0.4.0
+ ports:
+ - 8080
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command:
+ - log
+ - --start-signal=SIGHUP
+ - --addr=:8080
+ - -p=http-server
+ - /sample_logs/forwarded.json.log
+ powershell:
+ image: docker.elastic.co/observability/stream:v0.4.0
+ ports:
+ - 8080
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command:
+ - log
+ - --start-signal=SIGHUP
+ - --addr=:8080
+ - -p=http-server
+ - /sample_logs/powershell.json.log
+ powershell-operational:
+ image: docker.elastic.co/observability/stream:v0.4.0
+ ports:
+ - 8080
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command:
+ - log
+ - --start-signal=SIGHUP
+ - --addr=:8080
+ - -p=http-server
+ - /sample_logs/powershell_operational.json.log
+ sysmon-operational:
+ image: docker.elastic.co/observability/stream:v0.4.0
+ ports:
+ - 8080
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command:
+ - log
+ - --start-signal=SIGHUP
+ - --addr=:8080
+ - -p=http-server
+ - /sample_logs/sysmon_operational.json.log
diff --git a/packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log b/packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log
new file mode 100644
index 00000000000..f9ff65c69e7
--- /dev/null
+++ b/packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log
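Review bot: The four services in this compose file differ only in their name and the final `/sample_logs/*.json.log` argument; the `image`, `ports`, `volumes` and the first four `command` entries are copied verbatim four times, so a future change to the stream image or its flags has to be made in four places. A YAML anchor on the first service (`&stream`) merged into the others with `<<: *stream` would keep the shared part in one place, though `command` is a sequence and would still need to be restated per service unless the log path were given separately. This is a style point only; the `--start-signal=SIGHUP` here is consistent with the `service_notify_signal: SIGHUP` used by the test configs in this patch.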
@@ -0,0 +1 @@ +{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}} \ No newline at end of file diff --git a/packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log b/packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log new file mode 100644 index 00000000000..8623d9c6bd9 --- /dev/null +++ b/packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log 
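Review bot: forwarded.json.log is byte-identical to powershell_operational.json.log — both `index` lines carry the same new blob id `f9ff65c69e7` — so the `forwarded` system test replays one Microsoft-Windows-PowerShell/Operational record, as the `_raw` content and the forwarded sample event's `winlog.channel` confirm. If the forwarded data stream routes on channel to the security, sysmon and powershell pipelines (that pipeline is not in this patch), a fixture carrying a Security or Sysmon event would exercise that routing instead of repeating the powershell_operational case. The fixture's `"_sourcetype": "XmlWinEventLog:Security"` also does not match the PowerShell channel of the embedded event; harmless for the test, but misleading for anyone using the file as a reference for the Splunk response shape.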
@@ -0,0 +1 @@ +{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "600460x800000000000001089Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x800000000000001266Windows PowerShellvagrantRegistryStarted\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x8000000000000018640Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}} \ No newline at end of file 
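Review bot: The `_raw` value in this fixture concatenates three PowerShell 600 events (record ids 1089, 1266 and 18640, each with its own `ProviderName=` block), but the powershell sample event produced from it keeps only the first — `winlog.record_id` is `1089` and `event.sequence` is 35 — while `event.original` carries all three XML documents. Either split the fixture into one Splunk result per event, or state in the README or test config that a multi-event `_raw` is intentionally parsed as its first event only. As it stands two of the three events are never parsed into fields and a change in that behaviour would not be caught by this test.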
diff --git a/packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log b/packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log new file mode 100644 index 00000000000..f9ff65c69e7 --- /dev/null +++ b/packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log @@ -0,0 +1 @@ +{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}} \ No newline at end of file diff --git a/packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log b/packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log new file mode 100644 index 00000000000..33c2cbeffe1 --- /dev/null +++ b/packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log 
@@ -0,0 +1 @@ +{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "22542200x800000000000000067Microsoft-Windows-Sysmon/Operationalvagrant-20162019-07-18 03:34:01.261{fa4a0de6-e8a9-5d2f-0000-001053699900}2736www.msn.com0type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}} \ No newline at end of file diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 355c68ee2ac..91eb4218635 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "0.8.2" + changes: + - description: Add system tests for Splunk http inputs and improve README. + type: enhancement + link: https://github.com/elastic/integrations/pull/1044 + - description: Fix sysmon pipeline when processing `dns.resolved_ip`. + type: bugfix + link: https://github.com/elastic/integrations/pull/1044 - version: "0.8.1" changes: - description: Fix security pipeline to support string event.code. diff --git a/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c917a6b9530 --- /dev/null +++ b/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,10 @@
+input: httpjson
+service: forwarded
+service_notify_signal: SIGHUP
+vars:
+ url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/windows/data_stream/forwarded/fields/beats.yml b/packages/windows/data_stream/forwarded/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/forwarded/sample_event.json b/packages/windows/data_stream/forwarded/sample_event.json
new file mode 100644
index 00000000000..9bea306f37d
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/sample_event.json
@@ -0,0 +1,75 @@ +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.forwarded", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": "process", + "code": "4105", + "created": "2021-06-01T10:22:56.365Z", + "dataset": "windows.forwarded", + "ingested": "2021-06-01T10:22:57.387144900Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "start" + }, + "host": { + 
"name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} \ No newline at end of file diff --git a/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..bb647f0a2b5 --- /dev/null +++ b/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml @@ -0,0 +1,10 @@ +input: httpjson +service: powershell +service_notify_signal: SIGHUP +vars: + url: http://{{Hostname}}:{{Port}}/api/v1/logs + username: test + password: test +data_stream: + vars: + preserve_original_event: true diff --git a/packages/windows/data_stream/powershell/fields/beats.yml b/packages/windows/data_stream/powershell/fields/beats.yml new file mode 100644 index 00000000000..3c48f1f224f --- /dev/null +++ b/packages/windows/data_stream/powershell/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. diff --git a/packages/windows/data_stream/powershell/sample_event.json b/packages/windows/data_stream/powershell/sample_event.json new file mode 100644 index 00000000000..df66403094e --- /dev/null 
+++ b/packages/windows/data_stream/powershell/sample_event.json 
@@ -0,0 +1,82 @@ +{ + "@timestamp": "2020-05-13T13:21:43.183Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.powershell", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": "process", + "code": "600", + "created": "2021-06-01T10:23:48.533Z", + "dataset": "windows.powershell", + "ingested": "2021-06-01T10:23:49.554043100Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "tags": [ + "forwarded" + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1089" + } +} \ No newline at end of file diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c2870ada221 --- /dev/null 
+++ b/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml
@@ -0,0 +1,10 @@
+input: httpjson
+service: powershell-operational
+service_notify_signal: SIGHUP
+vars:
+ url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/windows/data_stream/powershell_operational/fields/beats.yml b/packages/windows/data_stream/powershell_operational/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/powershell_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/powershell_operational/sample_event.json b/packages/windows/data_stream/powershell_operational/sample_event.json
new file mode 100644
index 00000000000..4bd2b964c63
--- /dev/null
+++ b/packages/windows/data_stream/powershell_operational/sample_event.json
@@ -0,0 +1,75 @@ +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.powershell_operational", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": "process", + "code": "4105", + "created": "2021-06-01T10:24:43.254Z", + "dataset": "windows.powershell_operational", + "ingested": "2021-06-01T10:24:44.277129100Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": 
"start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} \ No newline at end of file diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index ec482d8fcfa..da69045fb6c 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json 
@@ -73,11 +73,11 @@ "go.microsoft.com" ], "ip": [ - "_ingest._value" + "23.223.14.67" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303220Z", + "ingested": "2021-06-01T09:52:58.850006900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
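Review bot: Every hunk in this expected-output file (this one and the four that follow at -169, -253, -345 and -446) rewrites `event.ingested` alongside the real change, because regenerating the expectations captures the timestamp the ingest node stamps at run time; the -253 hunk is timestamp churn with no other change. The substantive fix is `dns.resolved_ip` changing from the literal string `_ingest._value` to real addresses, which indicates the foreach processor in `default.yml` (its hunk is not in this chunk) previously emitted the unescaped template text instead of the item value. If the pipeline-test config supports marking fields as dynamic, excluding `event.ingested` there would keep future regenerations down to meaningful lines and make fixes like this one reviewable at a glance.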
@@ -169,11 +169,11 @@ "www.msn.com" ], "ip": [ - "_ingest._value" + "204.79.197.203" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303229700Z", + "ingested": "2021-06-01T09:52:58.850024Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -253,7 +253,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303235100Z", + "ingested": "2021-06-01T09:52:58.850029500Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -345,11 +345,12 @@ "static-global-s-msn-com.akamaized.net" ], "ip": [ - "_ingest._value" + "23.50.53.192", + "23.50.53.195" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303240500Z", + "ingested": "2021-06-01T09:52:58.850036900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -446,11 +447,12 @@ "www.bing.com" ], "ip": [ - "_ingest._value" + "204.79.197.200", + "13.107.21.200" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303245800Z", + "ingested": "2021-06-01T09:52:58.850046Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -518,7 +520,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303251100Z", + "ingested": "2021-06-01T09:52:58.850054600Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -593,7 +595,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303256200Z", + "ingested": "2021-06-01T09:52:58.850062800Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -685,11 +687,11 @@ "linkmaker.itunes.apple.com" ], "ip": [ - "_ingest._value" + "23.64.104.249" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303261300Z", + "ingested": "2021-06-01T09:52:58.850071200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -785,11 +787,14 @@ "confiant-integrations.global.ssl.fastly.net" ], "ip": [ - "_ingest._value" + "151.101.1.194", + "151.101.65.194", + "151.101.129.194", + "151.101.193.194" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303266500Z", + "ingested": "2021-06-01T09:52:58.850079300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -876,11 +881,11 @@ "c.msn.com" ], "ip": [ - "_ingest._value" + "20.36.253.92" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303271700Z", + "ingested": "2021-06-01T09:52:58.850088Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -977,11 +982,12 @@ "c.bing.com" ], "ip": [ - "_ingest._value" + "13.107.21.200", + "204.79.197.200" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303277Z", + "ingested": "2021-06-01T09:52:58.850096Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1063,11 +1069,11 @@ "contextual.media.net" ], "ip": [ - "_ingest._value" + "23.52.167.93" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303282500Z", + "ingested": "2021-06-01T09:52:58.850099800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1169,11 +1175,11 @@ "at.atwola.com" ], "ip": [ - "_ingest._value" + "152.195.32.120" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303287700Z", + "ingested": "2021-06-01T09:52:58.850105500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1305,11 +1311,19 @@ "m.adnxs.com" ], "ip": [ - "_ingest._value" + "204.13.192.56", + "204.13.192.120", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303293Z", + "ingested": "2021-06-01T09:52:58.850111500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1396,11 +1410,11 @@ "cms.analytics.yahoo.com" ], "ip": [ - "_ingest._value" + "74.6.137.78" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303316400Z", + "ingested": "2021-06-01T09:52:58.850118600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1492,11 +1506,11 @@ "cvision.media.net" ], "ip": [ - "_ingest._value" + "23.52.167.93" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303321600Z", + "ingested": "2021-06-01T09:52:58.850122900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1593,11 +1607,12 @@ "g.bing.com" ], "ip": [ - "_ingest._value" + "204.79.197.200", + "13.107.21.200" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303325100Z", + "ingested": "2021-06-01T09:52:58.850128900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1679,11 +1694,11 @@ "lg3.media.net" ], "ip": [ - "_ingest._value" + "23.52.167.93" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303329400Z", + "ingested": "2021-06-01T09:52:58.850133600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1780,11 +1795,13 @@ "service.sp.advertising.com" ], "ip": [ - "_ingest._value" + "54.88.96.255", + "34.233.100.168", + "54.209.58.223" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303334700Z", + "ingested": "2021-06-01T09:52:58.850139800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1846,7 +1863,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303359900Z", + "ingested": "2021-06-01T09:52:58.850144300Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1937,11 +1954,11 @@ "sb.scorecardresearch.com" ], "ip": [ - "_ingest._value" + "184.25.176.117" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303364200Z", + "ingested": "2021-06-01T09:52:58.850150100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2033,11 +2050,11 @@ "otf.msn.com" ], "ip": [ - "_ingest._value" + "40.114.54.223" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303368800Z", + "ingested": "2021-06-01T09:52:58.850158600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2105,7 +2122,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303374200Z", + "ingested": "2021-06-01T09:52:58.850167200Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2166,7 +2183,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303378400Z", + "ingested": "2021-06-01T09:52:58.850175900Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2282,11 +2299,18 @@ "ping.chartbeat.net" ], "ip": [ - "_ingest._value" + "35.171.101.225", + "34.196.57.87", + "34.194.164.46", + "34.233.181.142", + "34.194.167.169", + "34.193.242.172", + "34.234.152.11", + "34.206.12.124" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303382700Z", + "ingested": "2021-06-01T09:52:58.850184300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": 
"Microsoft-Windows-Sysmon", @@ -2382,11 +2406,14 @@ "clarium.freetls.fastly.net" ], "ip": [ - "_ingest._value" + "151.101.194.79", + "151.101.2.79", + "151.101.66.79", + "151.101.130.79" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303386300Z", + "ingested": "2021-06-01T09:52:58.850192700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2528,11 +2555,23 @@ "nym1-ib.adnxs.com" ], "ip": [ - "_ingest._value" + "68.67.178.252", + "68.67.179.11", + "68.67.179.228", + "68.67.178.184", + "204.13.192.141", + "68.67.180.43", + "68.67.179.23", + "68.67.179.197", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303390800Z", + "ingested": "2021-06-01T09:52:58.850201100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2664,11 +2703,19 @@ "eb2.3lift.com" ], "ip": [ - "_ingest._value" + "34.196.86.129", + "34.233.250.110", + "18.209.244.108", + "34.224.204.11", + "34.237.44.255", + "3.210.231.21", + "54.172.198.255", + "34.199.186.227", + "192.5.6.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303396300Z", + "ingested": "2021-06-01T09:52:58.850209300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2812,11 +2859,20 @@ "px.ads.linkedin.com" ], "ip": [ - "_ingest._value" + "108.174.10.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303402400Z", + "ingested": "2021-06-01T09:52:58.850218400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -2918,11 +2974,13 @@ "login.live.com" ], "ip": [ - "_ingest._value" + "40.90.23.239", + "40.90.23.213", + "40.90.23.154" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303407600Z", + "ingested": "2021-06-01T09:52:58.850227Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3066,11 +3124,22 @@ "dis.criteo.com" ], "ip": [ - "_ingest._value" + "74.119.119.150", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303413500Z", + "ingested": "2021-06-01T09:52:58.850235700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3212,11 +3281,21 @@ "ib.adnxs.com" ], "ip": [ - "_ingest._value" + "68.67.180.12", + "68.67.179.228", + "68.67.180.44", + "204.13.192.141", + "68.67.178.230", + "68.67.178.252", + "68.67.179.23", + "68.67.179.232", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303419Z", + "ingested": "2021-06-01T09:52:58.850244600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -3303,11 +3382,11 @@ "cm.g.doubleclick.net" ], "ip": [ - "_ingest._value" + "172.217.10.34" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303425500Z", + "ingested": "2021-06-01T09:52:58.850253Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3439,11 +3518,20 @@ "match.adsrvr.org" ], "ip": [ - "_ingest._value" + "54.208.129.24", + "54.175.5.93", + "52.86.210.96", + "3.93.252.59", + "54.86.97.130", + "34.194.239.194", + "3.94.67.102", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303430900Z", + "ingested": "2021-06-01T09:52:58.850261400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -3535,11 +3623,11 @@ "ssum-sec.casalemedia.com" ], "ip": [ - "_ingest._value" + "23.52.162.21" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303436500Z", + "ingested": "2021-06-01T09:52:58.850270Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3671,11 +3759,20 @@ "protected-by.clarium.io" ], "ip": [ - "_ingest._value" + "18.204.130.216", + "18.209.246.43", + "107.23.153.61", + "18.235.141.27", + "3.210.79.248", + "18.209.146.43", + "18.210.64.206", + "18.214.161.226", + "192.5.6.30", + "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303441800Z", + "ingested": "2021-06-01T09:52:58.850278600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -3762,11 +3859,11 @@ "pagead2.googlesyndication.com" ], "ip": [ - "_ingest._value" + "172.217.10.66" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303447300Z", + "ingested": "2021-06-01T09:52:58.850288Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3853,11 +3950,11 @@ "googleads.g.doubleclick.net" ], "ip": [ - "_ingest._value" + "172.217.10.66" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303452700Z", + "ingested": "2021-06-01T09:52:58.850300100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3984,11 +4081,18 @@ "pixel.advertising.com" ], "ip": [ - "_ingest._value" + "52.22.184.73", + "54.152.30.174", + "3.213.70.197", + "54.158.57.141", + "52.6.39.34", + "52.0.113.251", + "3.213.8.28", + "3.215.246.105" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303458100Z", + "ingested": "2021-06-01T09:52:58.850309500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4105,11 +4209,15 @@ "onevideosync.uplynk.com" ], "ip": [ - "_ingest._value" + "54.210.214.197", + "52.202.202.147", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303464200Z", + "ingested": "2021-06-01T09:52:58.850318300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": 
"Microsoft-Windows-Sysmon", @@ -4159,7 +4267,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303469900Z", + "ingested": "2021-06-01T09:52:58.850327Z", "code": "16", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4244,11 +4352,11 @@ "ad.turn.com" ], "ip": [ - "_ingest._value" + "50.116.194.21" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303475400Z", + "ingested": "2021-06-01T09:52:58.850335800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4370,11 +4478,18 @@ "ups.analytics.yahoo.com" ], "ip": [ - "_ingest._value" + "34.225.20.218", + "3.216.14.125", + "52.200.28.150", + "3.216.103.132", + "52.4.86.222", + "52.21.200.160", + "3.216.249.238", + "3.94.175.146" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303480800Z", + "ingested": "2021-06-01T09:52:58.850344700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4511,11 +4626,21 @@ "pm.w55c.net" ], "ip": [ - "_ingest._value" + "34.237.248.89", + "35.153.21.25", + "52.200.238.112", + "52.206.93.38", + "34.227.35.137", + "35.169.96.208", + "52.22.206.42", + "52.201.81.61", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303486300Z", + "ingested": "2021-06-01T09:52:58.850353300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4652,11 +4777,22 @@ "cm.eyereturn.com" ], "ip": [ - "_ingest._value" + "35.186.239.238", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303490300Z", + "ingested": "2021-06-01T09:52:58.850362200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4743,11 +4879,11 @@ "www.googletagservices.com" ], "ip": [ - "_ingest._value" + "172.217.10.66" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303495200Z", + "ingested": "2021-06-01T09:52:58.850371100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4884,11 +5020,21 @@ "cm.adgrx.com" ], "ip": [ - "_ingest._value" + "173.231.178.117", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303500600Z", + "ingested": "2021-06-01T09:52:58.850380Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5020,11 +5166,19 @@ "csm2waycm-atl.netmng.com" ], "ip": [ - "_ingest._value" + "104.193.83.156", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303505700Z", + "ingested": "2021-06-01T09:52:58.850388700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5076,7 +5230,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303509800Z", + "ingested": "2021-06-01T09:52:58.850397500Z", "code": "4", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5161,11 +5315,11 @@ "pr-bh.ybp.yahoo.com" ], "ip": [ - "_ingest._value" + "72.30.2.182" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303514500Z", + "ingested": "2021-06-01T09:52:58.850406100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5247,11 +5401,11 @@ "ps.eyeota.net" ], "ip": [ - "_ingest._value" + "3.83.220.223" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303520100Z", + "ingested": "2021-06-01T09:52:58.850469200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:3.83.220.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5348,7 +5502,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303524400Z", + "ingested": "2021-06-01T09:52:58.850479Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData 
Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5457,11 +5611,12 @@ "idpix.media6degrees.com" ], "ip": [ - "_ingest._value" + "204.2.197.201", + "204.2.197.211" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303528700Z", + "ingested": "2021-06-01T09:52:58.850488100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5588,11 +5743,19 @@ "tpc.googlesyndication.com" ], "ip": [ - "_ingest._value" + "172.217.10.1", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303532400Z", + "ingested": "2021-06-01T09:52:58.850496800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5695,7 +5858,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-05-06T11:45:02.303537400Z", + "ingested": "2021-06-01T09:52:58.850505800Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT 
AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5827,11 +5990,19 @@ "image2.pubmatic.com" ], "ip": [ - "_ingest._value" + "162.248.19.147", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303543Z", + "ingested": "2021-06-01T09:52:58.850514500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5928,11 +6099,11 @@ "sam.msn.com" ], "ip": [ - "_ingest._value" + "204.79.197.203" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303547800Z", + "ingested": "2021-06-01T09:52:58.850523100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6069,11 +6240,22 @@ "ocsp.sca1b.amazontrust.com" ], "ip": [ - "_ingest._value" + "52.85.89.250", + "52.85.89.94", + "52.85.89.22", + "52.85.89.139", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303553200Z", + "ingested": "2021-06-01T09:52:58.850531900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6170,11 +6352,12 @@ "c1.adform.net" ], "ip": [ - "_ingest._value" + "185.167.164.43", + "185.167.164.42" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303558600Z", + "ingested": "2021-06-01T09:52:58.850540600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6291,11 +6474,16 @@ "urs.microsoft.com" ], "ip": [ - "_ingest._value" + "40.84.140.84", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303564Z", + "ingested": "2021-06-01T09:52:58.850549300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": 
"Microsoft-Windows-Sysmon", @@ -6387,11 +6575,11 @@ "dsum-sec.casalemedia.com" ], "ip": [ - "_ingest._value" + "23.52.162.21" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303569500Z", + "ingested": "2021-06-01T09:52:58.850554200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6478,11 +6666,11 @@ "ocsp.godaddy.com" ], "ip": [ - "_ingest._value" + "72.167.239.239" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303575Z", + "ingested": "2021-06-01T09:52:58.850558Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6556,7 +6744,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303580300Z", + "ingested": "2021-06-01T09:52:58.850563800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6630,7 +6818,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303585700Z", + "ingested": "2021-06-01T09:52:58.850570300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6683,7 +6871,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303591200Z", + "ingested": "2021-06-01T09:52:58.850577800Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6813,11 +7001,20 @@ "ocsp.usertrust.com" ], "ip": [ - "_ingest._value" + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303596600Z", + "ingested": "2021-06-01T09:52:58.850586600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6914,11 +7111,12 @@ "isrg.trustid.ocsp.identrust.com" ], "ip": [ - "_ingest._value" + "23.50.53.179", + "23.50.53.176" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303602Z", + "ingested": "2021-06-01T09:52:58.850592300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7005,11 +7203,11 @@ "ad.doubleclick.net" ], "ip": [ - "_ingest._value" + "172.217.6.198" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303607400Z", + "ingested": "2021-06-01T09:52:58.850598500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7062,7 +7260,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303612700Z", + "ingested": "2021-06-01T09:52:58.850607300Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7192,11 +7390,20 @@ "ocsp.sectigo.com" ], "ip": [ - "_ingest._value" - ] - }, - "event": { - "ingested": "2021-05-06T11:45:02.303618200Z", + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "event": { + "ingested": "2021-06-01T09:52:58.850613100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7296,7 +7503,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303623700Z", + "ingested": "2021-06-01T09:52:58.850618800Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7373,7 +7580,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303629300Z", + "ingested": "2021-06-01T09:52:58.850622900Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ea00:203:3000:3000:3000:3000:3000:3300\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7453,7 +7660,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303633400Z", + "ingested": "2021-06-01T09:52:58.850629900Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7533,7 +7740,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303638500Z", + "ingested": "2021-06-01T09:52:58.850661Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7613,7 +7820,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303643800Z", + "ingested": "2021-06-01T09:52:58.850667600Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7712,11 +7919,12 @@ "ocsp.int-x3.letsencrypt.org" ], "ip": [ - "_ingest._value" + "23.50.53.179", + "23.50.53.177" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303648600Z", + "ingested": "2021-06-01T09:52:58.850674600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7848,11 +8056,20 @@ "ocsp.pki.goog" ], "ip": [ - "_ingest._value" + "172.217.12.195", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303652700Z", + "ingested": "2021-06-01T09:52:58.850684100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7929,7 +8146,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303657700Z", + "ingested": "2021-06-01T09:52:58.850705800Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8018,11 +8235,11 @@ "googleads4.g.doubleclick.net" ], "ip": [ - "_ingest._value" + "172.217.10.34" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303663400Z", + "ingested": "2021-06-01T09:52:58.850710900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8106,7 +8323,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303667800Z", + "ingested": "2021-06-01T09:52:58.850717700Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8210,11 +8427,14 @@ "images.taboola.com" ], "ip": [ - "_ingest._value" + "151.101.2.2", + "151.101.66.2", + "151.101.130.2", + "151.101.194.2" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303672100Z", + "ingested": "2021-06-01T09:52:58.850743100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8292,7 +8512,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303675800Z", + "ingested": "2021-06-01T09:52:58.850752100Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8371,7 +8591,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303680300Z", + "ingested": "2021-06-01T09:52:58.850756600Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003ee000:fc:4300:6800:7200:6f00:6d00:6500\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8449,7 +8669,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303686Z", + "ingested": "2021-06-01T09:52:58.850762700Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8527,7 +8747,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303691400Z", + "ingested": "2021-06-01T09:52:58.850768700Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8606,7 +8826,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303696700Z", + "ingested": "2021-06-01T09:52:58.850775700Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8685,7 +8905,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303702200Z", + "ingested": "2021-06-01T09:52:58.850780300Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea9fe:b419:0:0:f880:2301:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:0:0:0:0:0:0\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8767,7 +8987,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-05-06T11:45:02.303707700Z", + "ingested": "2021-06-01T09:52:58.850786900Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8849,7 +9069,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-05-06T11:45:02.303713200Z", + "ingested": "2021-06-01T09:52:58.850795900Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -8928,7 +9148,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303718600Z", + "ingested": "2021-06-01T09:52:58.850804800Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9032,11 +9252,14 @@ "api-s2s.taboola.com" ], "ip": [ - "_ingest._value" + "151.101.66.2", + "151.101.130.2", + "151.101.194.2", + "151.101.2.2" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303724Z", + "ingested": "2021-06-01T09:52:58.850813400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9123,11 +9346,12 @@ "x.bidswitch.net" ], "ip": [ - "_ingest._value" + "35.231.30.22", + "35.196.212.198" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303729500Z", + "ingested": "2021-06-01T09:52:58.850822Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.231.30.22;::ffff:35.196.212.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9259,11 +9483,20 @@ "pixel.adsafeprotected.com" ], "ip": [ - "_ingest._value" + "199.166.0.26", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303734800Z", + "ingested": "2021-06-01T09:52:58.850827600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9399,11 +9632,22 @@ "ml314.com" ], "ip": [ - "_ingest._value" + "35.171.48.231", + "52.206.107.32", + "35.175.80.59", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303740200Z", + "ingested": "2021-06-01T09:52:58.850831400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9540,11 +9784,22 @@ "aa.agkn.com" ], "ip": [ - "_ingest._value" + "156.154.200.36", + "63.251.88.56", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303745700Z", + "ingested": "2021-06-01T09:52:58.850837200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9676,11 +9931,20 @@ "s0.2mdn.net" ], "ip": [ - "_ingest._value" + "172.217.10.134", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303751Z", + "ingested": "2021-06-01T09:52:58.850843200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9777,11 +10041,12 @@ "b.scorecardresearch.com" ], "ip": [ - "_ingest._value" + "23.50.53.195", + "23.50.53.185" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303756300Z", + "ingested": "2021-06-01T09:52:58.850850400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9883,11 +10148,14 @@ "edw.edmunds.com" ], "ip": [ - "_ingest._value" + "151.101.130.2", + "151.101.194.2", + "151.101.2.2", + "151.101.66.2" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303761900Z", + "ingested": "2021-06-01T09:52:58.850859Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -9974,11 +10242,11 @@ "ocsp.digicert.com" ], "ip": [ - "_ingest._value" + "72.21.91.29" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303767300Z", + "ingested": "2021-06-01T09:52:58.850867700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10110,11 +10378,20 @@ "pre-usermatch.targeting.unrulymedia.com" ], "ip": [ - "_ingest._value" + "35.167.55.0", + "52.24.219.168", + "52.43.21.209", + "54.200.225.167", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303772800Z", + "ingested": "2021-06-01T09:52:58.850872800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
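Review bot: The regenerated `dns.resolved_ip` array in this hunk mixes the answer addresses for `pre-usermatch.targeting.unrulymedia.com` (`35.167.55.0` … `54.200.225.167`, which the `QueryResults` text in `event.original` lists as `::ffff:`-mapped entries right after the CNAME) with the trailing entries `192.5.6.30`, `2001:503:a83e::2:30`, `192.33.14.30`, `2001:503:231d::2:30`, `192.26.92.30`, `2001:503:83eb::30`, which look like name-server addresses reported alongside the answer rather than addresses the queried name resolved to. If the pipeline change that now fills these values in place of the old `_ingest._value` placeholder (the `default.yml` hunk is not in this chunk) cannot tell the two apart, detections and enrichments keyed on `dns.resolved_ip` will match on shared resolver infrastructure for many unrelated queries, so the golden values deserve a second look before being accepted as the expected output. The same pattern appears in the hunks ending at L153, L155, L167, L169 and L171, while the single-answer hunks (L148, L149, L165) are unaffected. A short note in the expected-output file is not possible in JSON, so the caveat belongs in the pipeline's `foreach`/`dns.resolved_ip` processor description, e.g. `description: "QueryResults may include name-server addresses after the answer records; resolved_ip is not filtered to answers only"`.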
@@ -10256,11 +10533,22 @@ "farm.plista.com" ], "ip": [ - "_ingest._value" + "144.76.67.119", + "148.251.77.207", + "148.251.15.115", + "176.9.103.51", + "88.198.208.110", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303776900Z", + "ingested": "2021-06-01T09:52:58.850878800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10392,11 +10680,19 @@ "beacon.krxd.net" ], "ip": [ - "_ingest._value" + "50.17.180.35", + "50.19.103.40", + "50.19.210.19", + "50.19.117.149", + "50.19.222.244", + "50.19.222.88", + "50.19.81.100", + "54.204.10.30", + "192.5.6.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303781700Z", + "ingested": "2021-06-01T09:52:58.850887500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10473,7 +10769,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.303787Z", + "ingested": "2021-06-01T09:52:58.850895900Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10528,7 +10824,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303792500Z", + "ingested": "2021-06-01T09:52:58.850904400Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10579,7 +10875,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303796700Z", + "ingested": "2021-06-01T09:52:58.850912500Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10640,7 +10936,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303801300Z", + "ingested": "2021-06-01T09:52:58.850916900Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10701,7 +10997,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303806800Z", + "ingested": "2021-06-01T09:52:58.850921400Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10762,7 +11058,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303811Z", + "ingested": "2021-06-01T09:52:58.850925500Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10823,7 +11119,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303815200Z", + "ingested": "2021-06-01T09:52:58.850931600Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10881,7 +11177,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303820Z", + "ingested": "2021-06-01T09:52:58.850940400Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10942,7 +11238,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.303824500Z", + "ingested": "2021-06-01T09:52:58.850946800Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11032,11 +11328,11 @@ "dsum.casalemedia.com" ], "ip": [ - "_ingest._value" + "23.52.162.21" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303829300Z", + "ingested": "2021-06-01T09:52:58.850952400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11173,11 +11469,21 @@ "sync.mathtag.com" ], "ip": [ - "_ingest._value" + "216.200.232.235", + "216.200.232.201", + "74.121.138.26", + "216.200.232.185", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303834700Z", + "ingested": "2021-06-01T09:52:58.850987900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -11269,11 +11575,11 @@ "status.rapidssl.com" ], "ip": [ - "_ingest._value" + "72.21.91.29" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303840500Z", + "ingested": "2021-06-01T09:52:58.850997900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11410,11 +11716,21 @@ "sync.extend.tv" ], "ip": [ - "_ingest._value" + "34.197.195.131", + "34.192.39.82", + "34.199.231.204", + "34.199.113.81", + "34.197.3.157", + "34.205.112.156", + "34.195.29.8", + "34.201.247.123", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303846Z", + "ingested": "2021-06-01T09:52:58.851006800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11546,11 +11862,20 @@
 "ocsp.comodoca.com"
 ],
 "ip": [
- "_ingest._value"
+ "151.139.128.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303895400Z",
+ "ingested": "2021-06-01T09:52:58.851015400Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -11662,11 +11987,14 @@
 "sync-tm.everesttech.net"
 ],
 "ip": [
- "_ingest._value"
+ "151.101.2.49",
+ "151.101.66.49",
+ "151.101.130.49",
+ "151.101.194.49"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303899300Z",
+ "ingested": "2021-06-01T09:52:58.851023900Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -11803,11 +12131,22 @@
 "idsync.rlcdn.com"
 ],
 "ip": [
- "_ingest._value"
+ "34.95.92.78",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303903500Z",
+ "ingested": "2021-06-01T09:52:58.851032400Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -11919,11 +12258,16 @@
 "cm.adform.net"
 ],
 "ip": [
- "_ingest._value"
+ "37.157.2.239",
+ "37.157.6.253",
+ "37.157.2.238",
+ "37.157.4.25",
+ "37.157.4.24",
+ "37.157.6.247"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303907100Z",
+ "ingested": "2021-06-01T09:52:58.851041300Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12005,11 +12349,11 @@
 "dm.hybrid.ai"
 ],
 "ip": [
- "_ingest._value"
+ "37.18.16.16"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303913300Z",
+ "ingested": "2021-06-01T09:52:58.851049600Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:37.18.16.16;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12141,11 +12485,20 @@
 "static.adsafeprotected.com"
 ],
 "ip": [
- "_ingest._value"
+ "199.166.0.32",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303918400Z",
+ "ingested": "2021-06-01T09:52:58.851058100Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12247,11 +12600,14 @@
 "trc.taboola.com"
 ],
 "ip": [
- "_ingest._value"
+ "151.101.130.2",
+ "151.101.194.2",
+ "151.101.2.2",
+ "151.101.66.2"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303923400Z",
+ "ingested": "2021-06-01T09:52:58.851066800Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12332,11 +12688,11 @@
 "pippio.com"
 ],
 "ip": [
- "_ingest._value"
+ "107.178.254.65"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303928800Z",
+ "ingested": "2021-06-01T09:52:58.851075600Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:107.178.254.65;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12468,11 +12824,20 @@
 "pixel-sync.sitescout.com"
 ],
 "ip": [
- "_ingest._value"
+ "209.15.36.34",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303934500Z",
+ "ingested": "2021-06-01T09:52:58.851084100Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12604,11 +12969,21 @@
 "prod.y-medialink.com"
 ],
 "ip": [
- "_ingest._value"
+ "35.186.202.217",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303939800Z",
+ "ingested": "2021-06-01T09:52:58.851092500Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12720,11 +13095,16 @@
 "jadserve.postrelease.com"
 ],
 "ip": [
- "_ingest._value"
+ "54.80.117.178",
+ "3.217.22.176",
+ "35.153.215.15",
+ "52.207.54.164",
+ "52.204.186.237",
+ "52.86.46.105"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303943700Z",
+ "ingested": "2021-06-01T09:52:58.851101100Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12856,11 +13236,20 @@
 "appnexus-partners.tremorhub.com"
 ],
 "ip": [
- "_ingest._value"
+ "107.21.43.184",
+ "54.164.220.86",
+ "52.72.172.174",
+ "3.209.65.250",
+ "3.94.51.187",
+ "34.193.211.130",
+ "18.214.47.10",
+ "18.214.151.246",
+ "192.5.6.30",
+ "2001:503:a83e::2:30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303948400Z",
+ "ingested": "2021-06-01T09:52:58.851109900Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12982,11 +13371,17 @@
 "x.dlx.addthis.com"
 ],
 "ip": [
- "_ingest._value"
+ "107.21.14.70",
+ "107.23.33.163",
+ "23.22.192.59",
+ "100.24.96.238",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303954900Z",
+ "ingested": "2021-06-01T09:52:58.851118300Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13108,11 +13503,17 @@
 "dh.serving-sys.com"
 ],
 "ip": [
- "_ingest._value"
+ "18.205.112.71",
+ "50.19.40.146",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303960500Z",
+ "ingested": "2021-06-01T09:52:58.851126700Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13254,11 +13655,22 @@
 "match.sharethrough.com"
 ],
 "ip": [
- "_ingest._value"
+ "52.55.160.246",
+ "3.211.67.240",
+ "35.173.61.59",
+ "34.233.179.235",
+ "34.228.105.237",
+ "52.7.23.213",
+ "52.201.177.113",
+ "34.235.70.251",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30"
 ]
 },
 "event": {
- "ingested": "2021-05-06T11:45:02.303965Z",
+ "ingested": "2021-06-01T09:52:58.851135300Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13390,11 +13802,21 @@ "tags.rd.linksynergy.com" ], "ip": [ - "_ingest._value" - ] - }, - "event": { - "ingested": "2021-05-06T11:45:02.303969700Z", + "35.241.16.233", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "event": { + "ingested": "2021-06-01T09:52:58.851143800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13521,11 +13943,18 @@ "rtb-csync.smartadserver.com" ], "ip": [ - "_ingest._value" + "199.187.193.166", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303974900Z", + "ingested": "2021-06-01T09:52:58.851152400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13657,11 +14086,20 @@ "sc.iasds01.com" ], "ip": [ - "_ingest._value" + "199.166.0.200", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303982200Z", + "ingested": "2021-06-01T09:52:58.851161Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13793,11 +14231,20 @@ "dt.adsafeprotected.com" ], "ip": [ - "_ingest._value" + "104.244.38.20", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303988Z", + "ingested": "2021-06-01T09:52:58.851169400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -13889,11 +14336,11 @@ "status.thawte.com" ], "ip": [ - "_ingest._value" + "72.21.91.29" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303993400Z", + "ingested": "2021-06-01T09:52:58.851177800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14032,11 +14479,18 @@ "ads.stickyadstv.com" ], "ip": [ - "_ingest._value" + "38.134.110.101", + "38.134.110.143", + "38.134.110.141", + "38.134.110.171", + "38.134.110.177", + "38.134.110.115", + "38.134.110.104", + "38.134.110.114" ] }, "event": { - "ingested": "2021-05-06T11:45:02.303999300Z", + "ingested": "2021-06-01T09:52:58.851186500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -14128,11 +14582,11 @@ "hbx.media.net" ], "ip": [ - "_ingest._value" + "23.52.167.93" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304004900Z", + "ingested": "2021-06-01T09:52:58.851195Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14234,11 +14688,14 @@ "match.taboola.com" ], "ip": [ - "_ingest._value" + "151.101.194.49", + "151.101.2.49", + "151.101.66.49", + "151.101.130.49" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304009400Z", + "ingested": "2021-06-01T09:52:58.851203300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14330,11 +14787,12 @@ "img-s-msn-com.akamaized.net" ], "ip": [ - "_ingest._value" + "23.50.53.185", + "23.50.53.194" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304013500Z", + "ingested": "2021-06-01T09:52:58.851212Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14426,11 +14884,12 @@ "static-entertainment-eus-s-msn-com.akamaized.net" ], "ip": [ - "_ingest._value" + "23.50.53.194", + "23.50.53.186" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304018300Z", + "ingested": "2021-06-01T09:52:58.851220400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14522,11 +14981,11 @@ "radarmaps.weather.microsoft.com" ], "ip": [ - "_ingest._value" + "23.217.149.91" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304022800Z", + "ingested": "2021-06-01T09:52:58.851229400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14618,11 +15077,12 @@ "static-entertainment-eus-s-msn-com.akamaized.net" ], "ip": [ - "_ingest._value" + "23.50.53.194", + "23.50.53.186" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304027300Z", + "ingested": "2021-06-01T09:52:58.851238100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14709,11 +15169,11 @@ "tag.sp.advertising.com" ], "ip": [ - "_ingest._value" + "152.195.32.163" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304031500Z", + "ingested": "2021-06-01T09:52:58.851246900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14810,11 +15270,12 @@ "www.bing.com" ], "ip": [ - "_ingest._value" + "204.79.197.200", + "13.107.21.200" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304036100Z", + "ingested": "2021-06-01T09:52:58.851255400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14906,11 +15367,11 @@ "cdn.doubleverify.com" ], "ip": [ - "_ingest._value" + "23.52.164.109" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304040400Z", + "ingested": "2021-06-01T09:52:58.851260500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15014,11 +15475,11 @@ "cdn3.doubleverify.com" ], "ip": [ - "_ingest._value" + "23.52.164.109" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304045Z", + "ingested": "2021-06-01T09:52:58.851266900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15110,11 +15571,11 @@ "rtb0.doubleverify.com" ], "ip": [ - "_ingest._value" + "204.154.111.122" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304050100Z", + "ingested": "2021-06-01T09:52:58.851273800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15206,11 +15667,11 @@ "dev.virtualearth.net" ], "ip": [ - "_ingest._value" + "20.36.236.157" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304054100Z", + "ingested": "2021-06-01T09:52:58.851280600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15302,11 +15763,11 @@ "t.ssl.ak.dynamic.tiles.virtualearth.net" ], "ip": [ - "_ingest._value" + "23.52.161.238" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304059100Z", + "ingested": "2021-06-01T09:52:58.851289300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15443,11 +15904,22 @@ "rp.gwallet.com" ], "ip": [ - "_ingest._value" + "74.217.253.61", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304064700Z", + "ingested": "2021-06-01T09:52:58.851297600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15549,11 +16021,14 @@ "ads.yahoo.com" ], "ip": [ - "_ingest._value" + "98.139.225.43", + "98.138.49.44", + "72.30.3.43", + "216.155.194.56" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304070400Z", + "ingested": "2021-06-01T09:52:58.851305400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15652,11 +16127,13 @@ "um.simpli.fi" ], "ip": [ - "_ingest._value" + "169.55.104.49", + "169.60.66.35", + "169.61.103.241" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304075500Z", + "ingested": "2021-06-01T09:52:58.851311800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15788,11 +16265,21 @@ "mpp.vindicosuite.com" ], "ip": [ - "_ingest._value" + "35.186.236.204", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304080900Z", + "ingested": "2021-06-01T09:52:58.851320300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15874,11 +16361,11 @@ "sync.1rx.io" ], "ip": [ - "_ingest._value" + "8.41.222.152" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304086300Z", + "ingested": "2021-06-01T09:52:58.851326800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:8.41.222.152;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15970,11 +16457,11 @@ "sync.teads.tv" ], "ip": [ - "_ingest._value" + "23.52.160.7" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304091700Z", + "ingested": "2021-06-01T09:52:58.851331Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16111,11 +16598,21 @@ "s.thebrighttag.com" ], "ip": [ - "_ingest._value" + "3.15.109.176", + "52.15.225.252", + "3.18.121.79", + "3.15.101.187", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304097100Z", + "ingested": "2021-06-01T09:52:58.851336400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16202,11 +16699,11 @@ "t.a3cloud.net" ], "ip": [ - "_ingest._value" + "54.192.55.189" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304102400Z", + "ingested": "2021-06-01T09:52:58.851342400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16298,11 +16795,11 @@ "tps618.doubleverify.com" ], "ip": [ - "_ingest._value" + "204.154.111.122" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304108200Z", + "ingested": "2021-06-01T09:52:58.851348200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16439,11 +16936,19 @@ "dpm.demdex.net" ], "ip": [ - "_ingest._value" + "54.157.69.185", + "18.209.139.81", + "18.233.36.36", + "52.54.198.81", + "52.55.201.28", + "18.210.34.44", + "52.72.163.149", + "18.232.198.130", + "192.5.6.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304113600Z", + "ingested": "2021-06-01T09:52:58.851354800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16585,11 +17090,21 @@ "secure.adnxs.com" ], "ip": [ - "_ingest._value" + "68.67.179.228", + "68.67.180.44", + "204.13.192.141", + "68.67.178.230", + "68.67.178.252", + "68.67.179.23", + "68.67.179.232", + "68.67.180.12", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304119100Z", + "ingested": "2021-06-01T09:52:58.851359300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16681,11 +17196,11 @@ "tps.doubleverify.com" ], "ip": [ - "_ingest._value" + "204.154.111.122" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304124500Z", + "ingested": "2021-06-01T09:52:58.851363300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16822,11 +17337,21 @@ "i.liadm.com" ], "ip": [ - "_ingest._value" + "52.71.175.22", + "52.71.208.229", + "52.86.201.172", + "52.7.6.198", + "54.152.156.164", + "54.152.56.202", + "54.164.15.83", + "52.86.191.75", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304130100Z", + "ingested": "2021-06-01T09:52:58.851369200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16963,11 +17488,22 @@ "pixel.s3xified.com" ], "ip": [ - "_ingest._value" + "67.231.251.189", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304135700Z", + "ingested": "2021-06-01T09:52:58.851374Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17099,11 +17635,21 @@ "router.infolinks.com" ], "ip": [ - "_ingest._value" + "104.20.252.85", + "104.20.253.85", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304141Z", + "ingested": "2021-06-01T09:52:58.851377900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17230,11 +17776,20 @@ "grey.erne.co" ], "ip": [ - "_ingest._value" + "94.23.171.206", + "188.165.137.78", + "87.98.128.108", + "94.23.73.243", + "94.23.144.220", + "87.98.228.78", + "188.165.27.173", + "87.98.252.5", + "188.165.4.142", + "87.98.242.60" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304145200Z", + "ingested": "2021-06-01T09:52:58.851384900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17371,11 +17926,22 @@ "sync.jivox.com" ], "ip": [ - "_ingest._value" + "54.243.145.203", + "54.221.211.153", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304149900Z", + "ingested": "2021-06-01T09:52:58.851395900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17717,11 +18283,62 @@ "b1sync.zemanta.com" ], "ip": [ - "_ingest._value" + "207.244.121.25", + "108.59.0.1", + "162.210.196.115", + "207.244.94.20", + "108.59.0.12", + "207.244.121.65", + "162.210.199.69", + "207.244.76.83", + "162.210.197.137", + "207.244.108.217", + "207.244.121.137", + "207.244.67.99", + "198.7.56.229", + "198.7.56.231", + "108.59.4.172", + "108.62.117.43", + "108.59.4.171", + "207.244.121.27", + "207.244.71.67", + "207.244.121.70", + "199.58.84.25", + "207.244.67.98", + "162.210.196.116", + "207.244.73.10", + "207.244.110.3", + "108.59.4.173", + "108.59.0.8", + "207.244.71.88", + "207.244.121.73", + "207.244.69.231", + "108.59.0.2", + "207.244.121.74", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30", + "2001:503:d414::30", + "192.42.93.30", + "2001:503:eea3::30", + "192.54.112.30", + "2001:502:8cc::30", + "192.43.172.30", + "2001:503:39c1::30", + "192.48.79.30", + "2001:502:7094::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304155300Z", + "ingested": "2021-06-01T09:52:58.851405Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17873,11 +18490,24 @@ "tg.socdm.com" ], "ip": [ - "_ingest._value" + "124.146.215.43", + "202.241.208.53", + "124.146.215.46", + "202.241.208.52", + "124.146.215.48", + "124.146.215.45", + "202.241.208.54", + "124.146.215.47", + "124.146.215.42", + "124.146.215.44", + "202.241.208.55", + "202.241.208.56", + "192.5.6.30", + "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304160100Z", + "ingested": "2021-06-01T09:52:58.851413400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17971,11 +18601,11 @@ "prebid.adnxs.com" ], "ip": [ - "_ingest._value" + "68.67.153.75" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304164200Z", + "ingested": "2021-06-01T09:52:58.851421800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18072,11 +18702,11 @@ "ul1.dvtps.com" ], "ip": [ - "_ingest._value" + "204.154.111.122" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304169Z", + "ingested": "2021-06-01T09:52:58.851430600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18150,7 +18780,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.304173500Z", + "ingested": "2021-06-01T09:52:58.851439100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18242,11 +18872,11 @@ "tags.bluekai.com" ], "ip": [ - "_ingest._value" + "23.3.125.199" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304177800Z", + "ingested": "2021-06-01T09:52:58.851447500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18383,11 +19013,22 @@ "cdnjs.cloudflare.com" ], "ip": [ - "_ingest._value" + "104.19.195.151", + "104.19.199.151", + "104.19.198.151", + "104.19.197.151", + "104.19.196.151", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304182Z", + "ingested": "2021-06-01T09:52:58.851455900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18524,11 +19165,22 @@ "pixel.onaudience.com" ], "ip": [ - "_ingest._value" + "85.194.243.23", + "85.194.243.239", + "85.194.240.137", + "85.194.242.103", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304185700Z", + "ingested": "2021-06-01T09:52:58.851464500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18620,11 +19272,11 @@ "status.geotrust.com" ], "ip": [ - "_ingest._value" + "72.21.91.29" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304190400Z", + "ingested": "2021-06-01T09:52:58.851473Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18756,11 +19408,20 @@ "ocsp.trust-provider.com" ], "ip": [ - "_ingest._value" + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304195800Z", + "ingested": "2021-06-01T09:52:58.851478300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18899,11 +19560,20 @@ "ocsp.comodoca4.com" ], "ip": [ - "_ingest._value" + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304201300Z", + "ingested": "2021-06-01T09:52:58.851481900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19035,11 +19705,19 @@ "sync.crwdcntrl.net" ], "ip": [ - "_ingest._value" + "52.4.111.14", + "52.205.68.184", + "52.0.28.154", + "34.225.82.232", + "18.213.13.245", + "52.22.171.66", + "52.207.199.229", + "52.72.57.144", + "192.5.6.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304206600Z", + "ingested": "2021-06-01T09:52:58.851487900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19161,11 +19839,16 @@ "match.sync.ad.cpe.dotomi.com" ], "ip": [ - "_ingest._value" + "159.127.42.114", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304212Z", + "ingested": "2021-06-01T09:52:58.851494Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -19264,11 +19947,11 @@ "tps10230.doubleverify.com" ], "ip": [ - "_ingest._value" + "204.154.111.122" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304217300Z", + "ingested": "2021-06-01T09:52:58.851501500Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19367,11 +20050,11 @@ "tps10221.doubleverify.com" ], "ip": [ - "_ingest._value" + "204.154.111.122" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304222700Z", + "ingested": "2021-06-01T09:52:58.851510200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19503,11 +20186,20 @@ "www.facebook.com" ], "ip": [ - "_ingest._value" + "31.13.71.36", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304228Z", + "ingested": "2021-06-01T09:52:58.851515200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19614,11 +20306,11 @@ "platform.twitter.com" ], "ip": [ - "_ingest._value" + "192.229.163.25" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304233400Z", + "ingested": "2021-06-01T09:52:58.851519300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19755,11 +20447,22 @@ "syndication.twitter.com" ], "ip": [ - "_ingest._value" + "104.244.42.8", + "104.244.42.200", + "104.244.42.136", + "104.244.42.72", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304238800Z", + "ingested": "2021-06-01T09:52:58.851525100Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -19846,11 +20549,11 @@ "ade.googlesyndication.com" ], "ip": [ - "_ingest._value" + "172.217.10.34" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304244300Z", + "ingested": "2021-06-01T09:52:58.851530Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19942,11 +20645,11 @@ "iecvlist.microsoft.com" ], "ip": [ - "_ingest._value" + "72.21.81.200" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304249800Z", + "ingested": "2021-06-01T09:52:58.851537400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20033,11 +20736,11 @@ "tsfe.trafficshaping.dsp.mp.microsoft.com" ], "ip": [ - "_ingest._value" + "40.77.232.95" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304255400Z", + "ingested": "2021-06-01T09:52:58.851545900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20111,7 +20814,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.304260800Z", + "ingested": "2021-06-01T09:52:58.851554400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20182,7 +20885,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.304267900Z", + "ingested": "2021-06-01T09:52:58.851562900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20253,7 +20956,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.304273600Z", + "ingested": "2021-06-01T09:52:58.851571700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20350,11 +21053,11 @@ "v10.vortex-win.data.microsoft.com" ], "ip": [ - "_ingest._value" + "65.55.44.109" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304279Z", + "ingested": "2021-06-01T09:52:58.851577Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20441,11 +21144,11 @@ "settings-win.data.microsoft.com" ], "ip": [ - "_ingest._value" + "20.36.218.63" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304283800Z", + "ingested": "2021-06-01T09:52:58.851583200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20543,7 +21246,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.304287400Z", + "ingested": "2021-06-01T09:52:58.851590300Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20599,7 +21302,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-05-06T11:45:02.304292300Z", + "ingested": "2021-06-01T09:52:58.851597400Z", "code": "25", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20673,7 +21376,7 @@ ] }, "event": { - "ingested": "2021-05-06T11:45:02.304297500Z", + "ingested": "2021-06-01T09:52:58.851602400Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20767,7 +21470,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.304302300Z", + "ingested": "2021-06-01T09:52:58.851608500Z", "code": "7", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20827,7 +21530,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.304306400Z", + "ingested": "2021-06-01T09:52:58.851617100Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20899,7 +21602,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-05-06T11:45:02.304311600Z", + "ingested": "2021-06-01T09:52:58.851622700Z", "code": "24", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20957,7 +21660,7 @@ "level": "information" }, "event": { - "ingested": "2021-05-06T11:45:02.304316900Z", + "ingested": "2021-06-01T09:52:58.851628800Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21077,11 +21780,17 @@ "c.urs.microsoft.com" ], "ip": [ - "_ingest._value" + "40.121.17.79", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30" ] }, "event": { - "ingested": "2021-05-06T11:45:02.304321100Z", + "ingested": "2021-06-01T09:52:58.851634200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..6ab4cf311b2 --- /dev/null +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml @@ -0,0 +1,10 @@ +input: httpjson +service: sysmon-operational +service_notify_signal: SIGHUP +vars: + url: http://{{Hostname}}:{{Port}}/api/v1/logs + username: test + password: test +data_stream: + vars: + preserve_original_event: true diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml index 5b5c93a79bc..4af763c7e73 100644 --- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml @@ -841,8 +841,9 @@ processors: processor: append: field: related.ip - value: _ingest._value + value: "{{_ingest._value}}" allow_duplicates: false + ignore_failure: true - community_id: ignore_failure: true ignore_missing: false diff --git a/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml index a9a65458fc5..780043c0f6e 100644 --- a/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml +++ b/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml @@ -19,3 +19,8 @@ - name: '@timestamp' type: date description: Event timestamp. +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword 
diff --git a/packages/windows/data_stream/sysmon_operational/fields/beats.yml b/packages/windows/data_stream/sysmon_operational/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/sysmon_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+  type: keyword
+  description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/sysmon_operational/sample_event.json b/packages/windows/data_stream/sysmon_operational/sample_event.json
new file mode 100644
index 00000000000..0c3c149e4a9
--- /dev/null
+++ b/packages/windows/data_stream/sysmon_operational/sample_event.json
@@ -0,0 +1,124 @@ +{ + "@timestamp": "2019-07-18T03:34:01.261Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.sysmon_operational", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": [ + { + "data": "www-msn-com.a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.203", + "type": "A" + } + ], + "question": { + "name": "www.msn.com", + "registered_domain": "msn.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.203" + ] + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "dataset": "windows.sysmon_operational", + "ingested": "2021-06-01T10:25:35.382586400Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "www-msn-com.a-0003.a-msedge.net", + "a-0003.a-msedge.net", + "www.msn.com" + ], + "ip": [ + "204.79.197.203" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "tags": [ + "forwarded" + ], + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "67", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } +} \ No newline at end of file 
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 5a20d5c4bf3..2786f83e4b2 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -133,6 +133,93 @@ channel specific datasets. The Windows `powershell` dataset provides events from the Windows `Windows PowerShell` event log. +An example event for `powershell` looks as following: + +```$json +{ + "@timestamp": "2020-05-13T13:21:43.183Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.powershell", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": "process", + "code": "600", + "created": "2021-06-01T10:23:48.533Z", + "dataset": "windows.powershell", + "ingested": "2021-06-01T10:23:49.554043100Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "tags": [ + "forwarded" + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1089" + } +} +``` + **Exported fields** | Field | Description | Type | 
@@ -183,7 +270,7 @@ The Windows `powershell` dataset provides events from the Windows | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.name | Name of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | @@ -192,6 +279,7 @@ The Windows `powershell` dataset provides events from the Windows | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | | log.level | Original log level of the log event. | keyword | | powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | | powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | 
@@ -375,6 +463,86 @@ The Windows `powershell` dataset provides events from the Windows The Windows `powershell_operational` dataset provides events from the Windows `Microsoft-Windows-PowerShell/Operational` event log. +An example event for `powershell_operational` looks as following: + +```$json +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.powershell_operational", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": "process", + "code": "4105", + "created": "2021-06-01T10:24:43.254Z", + "dataset": "windows.powershell_operational", + "ingested": "2021-06-01T10:24:44.277129100Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} +``` + **Exported fields** | Field | Description | Type | 
@@ -425,7 +593,7 @@ The Windows `powershell_operational` dataset provides events from the Windows | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.name | Name of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | @@ -434,6 +602,7 @@ The Windows `powershell_operational` dataset provides events from the Windows | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | | log.level | Original log level of the log event. | keyword | | powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | | powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | 
@@ -617,6 +786,135 @@ The Windows `powershell_operational` dataset provides events from the Windows The Windows `sysmon_operational` dataset provides events from the Windows `Microsoft-Windows-Sysmon/Operational` event log. +An example event for `sysmon_operational` looks as following: + +```$json +{ + "@timestamp": "2019-07-18T03:34:01.261Z", + "agent": { + "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b", + "hostname": "docker-fleet-agent", + "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.13.0" + }, + "data_stream": { + "dataset": "windows.sysmon_operational", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": [ + { + "data": "www-msn-com.a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.203", + "type": "A" + } + ], + "question": { + "name": "www.msn.com", + "registered_domain": "msn.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.203" + ] + }, + "ecs": { + "version": "1.9.0" + }, + "elastic_agent": { + "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322", + "snapshot": true, + "version": "7.13.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "dataset": "windows.sysmon_operational", + "ingested": "2021-06-01T10:25:35.382586400Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "www-msn-com.a-0003.a-msedge.net", + "a-0003.a-msedge.net", + "www.msn.com" + ], + "ip": [ + "204.79.197.203" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "tags": [ + "forwarded" + ], + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "67", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } +} +``` + **Exported fields** | Field | Description | Type | @@ -715,6 +1013,7 @@ The Windows `sysmon_operational` dataset provides events from the Windows | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | | log.level | Original log level of the log event. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. | text | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. | keyword | @@ -768,6 +1067,7 @@ The Windows `sysmon_operational` dataset provides events from the Windows | sysmon.dns.status | Windows status code returned for the DNS query. | keyword | | sysmon.file.archived | Indicates if the deleted file was archived. | boolean | | sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean | +| tags | List of keywords used to tag each event. | keyword | | user.domain | Name of the directory the user is a member of. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index 532bb44b9a3..81ce32d405a 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml 
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 0.8.1
+version: 0.8.2
 description: Windows Integration
 type: integration
 categories:
From 176458d1239db8d8e3b7a2a4cc89a9d9a9c6cad7 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Mon, 7 Jun 2021 18:00:58 +0200
Subject: [PATCH 2/2] Use new mock server
---
 .../_dev/deploy/docker/docker-compose.yml | 48 +----
 .../_dev/deploy/docker/files/config.yml | 177 ++++++++++++++++++
 .../docker/sample_logs/forwarded.json.log | 1 -
 .../docker/sample_logs/powershell.json.log | 1 -
 .../powershell_operational.json.log | 1 -
 .../sample_logs/sysmon_operational.json.log | 1 -
 .../_dev/test/system/test-default-config.yml | 5 +-
 .../_dev/test/system/test-default-config.yml | 5 +-
 .../_dev/test/system/test-default-config.yml | 5 +-
 .../_dev/test/system/test-default-config.yml | 5 +-
 packages/windows/docs/README.md | 6 +-
 11 files changed, 193 insertions(+), 62 deletions(-)
 create mode 100644 packages/windows/_dev/deploy/docker/files/config.yml
 delete mode 100644 packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log
 delete mode 100644 packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log
 delete mode 100644 packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log
 delete mode 100644 packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log
diff --git a/packages/windows/_dev/deploy/docker/docker-compose.yml b/packages/windows/_dev/deploy/docker/docker-compose.yml
index 7a5ad05e4fd..df09dbfb8c1 100644
--- a/packages/windows/_dev/deploy/docker/docker-compose.yml
+++ b/packages/windows/_dev/deploy/docker/docker-compose.yml
@@ -1,50 +1,12 @@
 version: '2.3'
 services:
- forwarded:
- image: docker.elastic.co/observability/stream:v0.4.0
+ splunk-mock:
+ image: docker.elastic.co/observability/stream:v0.5.0
 ports:
 - 8080
 volumes:
- - ./sample_logs:/sample_logs:ro
+ - ./files:/files:ro
 command:
- - log
- - --start-signal=SIGHUP
+ - http-server
 - --addr=:8080
- - -p=http-server
- - /sample_logs/forwarded.json.log
- powershell:
- image: docker.elastic.co/observability/stream:v0.4.0
- ports:
- - 8080
- volumes:
- - ./sample_logs:/sample_logs:ro
- command:
- - log
- - --start-signal=SIGHUP
- - --addr=:8080
- - -p=http-server
- - /sample_logs/powershell.json.log
- powershell-operational:
- image: docker.elastic.co/observability/stream:v0.4.0
- ports:
- - 8080
- volumes:
- - ./sample_logs:/sample_logs:ro
- command:
- - log
- - --start-signal=SIGHUP
- - --addr=:8080
- - -p=http-server
- - /sample_logs/powershell_operational.json.log
- sysmon-operational:
- image: docker.elastic.co/observability/stream:v0.4.0
- ports:
- - 8080
- volumes:
- - ./sample_logs:/sample_logs:ro
- command:
- - log
- - --start-signal=SIGHUP
- - --addr=:8080
- - -p=http-server
- - /sample_logs/sysmon_operational.json.log
+ - --config=/files/config.yml
diff --git a/packages/windows/_dev/deploy/docker/files/config.yml b/packages/windows/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..aa311b5ba94
--- /dev/null
+++ b/packages/windows/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,177 @@
+rules:
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - POST
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:ForwardedEvents" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Windows PowerShell" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "600460x800000000000001089Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x800000000000001266Windows PowerShellvagrantRegistryStarted\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x8000000000000018640Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-Powershell/Operational" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "22542200x800000000000000067Microsoft-Windows-Sysmon/Operationalvagrant-20162019-07-18 03:34:01.261{fa4a0de6-e8a9-5d2f-0000-001053699900}2736www.msn.com0type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
diff --git a/packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log b/packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log
deleted file mode 100644
index f9ff65c69e7..00000000000
--- a/packages/windows/_dev/deploy/docker/sample_logs/forwarded.json.log
+++ /dev/null
@@ -1 +0,0 @@
-{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
diff --git a/packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log b/packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log
deleted file mode 100644
index 8623d9c6bd9..00000000000
--- a/packages/windows/_dev/deploy/docker/sample_logs/powershell.json.log
+++ /dev/null
@@ -1 +0,0 @@
-{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "600460x800000000000001089Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x800000000000001266Windows PowerShellvagrantRegistryStarted\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x8000000000000018640Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
diff --git a/packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log b/packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log
deleted file mode 100644
index f9ff65c69e7..00000000000
--- a/packages/windows/_dev/deploy/docker/sample_logs/powershell_operational.json.log
+++ /dev/null
@@ -1 +0,0 @@
-{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
diff --git a/packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log b/packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log
deleted file mode 100644
index 33c2cbeffe1..00000000000
--- a/packages/windows/_dev/deploy/docker/sample_logs/sysmon_operational.json.log
+++ /dev/null
@@ -1 +0,0 @@
-{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "22542200x800000000000000067Microsoft-Windows-Sysmon/Operationalvagrant-20162019-07-18 03:34:01.261{fa4a0de6-e8a9-5d2f-0000-001053699900}2736www.msn.com0type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
diff --git a/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml
index c917a6b9530..dfa8f5c9201 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml
+++ b/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml
@@ -1,8 +1,7 @@
 input: httpjson
-service: forwarded
-service_notify_signal: SIGHUP
+service: splunk-mock
 vars:
- url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ url: http://{{Hostname}}:{{Port}}
 username: test
 password: test
 data_stream:
diff --git a/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml
index bb647f0a2b5..dfa8f5c9201 100644
--- a/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml
+++ b/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml
@@ -1,8 +1,7 @@
 input: httpjson
-service: powershell
-service_notify_signal: SIGHUP
+service: splunk-mock
 vars:
- url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ url: http://{{Hostname}}:{{Port}}
 username: test
 password: test
 data_stream:
diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml
index c2870ada221..dfa8f5c9201 100644
--- a/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml
+++ b/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml
@@ -1,8 +1,7 @@
 input: httpjson
-service: powershell-operational
-service_notify_signal: SIGHUP
+service: splunk-mock
 vars:
- url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ url: http://{{Hostname}}:{{Port}}
 username: test
 password: test
 data_stream:
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml
index 6ab4cf311b2..dfa8f5c9201 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml
@@ -1,8 +1,7 @@
 input: httpjson
-service: sysmon-operational
-service_notify_signal: SIGHUP
+service: splunk-mock
 vars:
- url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ url: http://{{Hostname}}:{{Port}}
 username: test
 password: test
 data_stream:
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 2786f83e4b2..85664a45fc5 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -135,7 +135,7 @@ The Windows `powershell` dataset provides events from the Windows
 An example event for `powershell` looks as following:
-```$json
+```json
 {
 "@timestamp": "2020-05-13T13:21:43.183Z",
 "agent": {
@@ -465,7 +465,7 @@ The Windows `powershell_operational` dataset provides events from the Windows
 An example event for `powershell_operational` looks as following:
-```$json
+```json
 {
 "@timestamp": "2020-05-13T09:04:04.755Z",
 "agent": {
@@ -788,7 +788,7 @@ The Windows `sysmon_operational` dataset provides events from the Windows
 An example event for `sysmon_operational` looks as following:
-```$json
+```json
 {
 "@timestamp": "2019-07-18T03:34:01.261Z",
 "agent": {